Google Play Store update allows apps to silently gain control of your Device

Google just made a huge change to the way application permissions work on Android devices, which has left a potential door open to malicious app developers and hackers.

Google has narrowed Android's 145 permissions down into 13 broad categories, grouping app permissions into 'groups of related permissions', likely to make app permissions easier for Android users to deal with.

Unfortunately, the new update has introduced a few potential security and privacy issues, as listed below:

- Hiding permissions behind the group names
- Auto-updating apps with no warning for new permissions

According to the new update, once a user approves an app’s permissions, they actually approve the whole of each respective permission group. For example, if an app wants to read your incoming SMS messages, it requires the “Read SMS messages” permission. But now, by installing the app, you are actually giving it access to all SMS-related permissions.

The app developer can then include additional permissions from the ‘SMS-related permissions Group’ in a future update, and this will not trigger any warning before installation.

If your Android apps update automatically, malicious developers can abuse this mechanism to gain access to new dangerous permissions without your knowledge. A smart user could manually view all permissions in a dropdown before installation, but only one out of thousands does that.

For example, as you can see in the above screenshots, I am installing FIFA's Android app from the Google Play Store. Before installation, the app asks for group permissions in the left image, and the actual permissions in each group are expanded in the right-side image.

Similarly, if you install any app with group permissions to read contacts, later that app can secretly gain permission to add or even change calendar entries too.
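
The silent-escalation case described above can be audited by diffing the permissions requested by two versions of an app against a table of permission groups. This is an added example, not code from the original article or from Google; the group table is an assumed, partial mapping, and the manifests and the sample_manifest helper are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumed, partial group table for illustration; not Google's full list.
GROUP_MEMBERS = {
    "SMS": ["READ_SMS", "RECEIVE_SMS", "SEND_SMS"],
    "Contacts/Calendar": ["READ_CONTACTS", "WRITE_CONTACTS",
                          "READ_CALENDAR", "WRITE_CALENDAR"],
    "Location": ["ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"],
}
GROUPS = {PREFIX + p: g for g, ps in GROUP_MEMBERS.items() for p in ps}

def requested_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def classify_update(old_manifest, new_manifest, groups=GROUPS):
    """Split permissions added by an update by whether the user is warned."""
    old = requested_permissions(old_manifest)
    new = requested_permissions(new_manifest)
    granted_groups = {groups[p] for p in old if p in groups}
    result = {"silent": [], "prompted": [], "unmapped": []}
    for perm in sorted(new - old):
        group = groups.get(perm)
        if group is None:
            result["unmapped"].append(perm)   # not in the table: review by hand
        elif group in granted_groups:
            result["silent"].append(perm)     # group already approved: no warning
        else:
            result["prompted"].append(perm)   # new group: user sees a prompt
    return result

def sample_manifest(*perms):
    """Build a constructed AndroidManifest.xml body for the demo."""
    uses = "".join('<uses-permission android:name="%s%s"/>' % (PREFIX, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            + uses + "</manifest>")

# Constructed sample data: version 1 and an auto-updated version 2.
OLD = sample_manifest("READ_SMS", "READ_CONTACTS")
NEW = sample_manifest("READ_SMS", "READ_CONTACTS", "SEND_SMS",
                      "WRITE_CALENDAR", "ACCESS_FINE_LOCATION", "INTERNET")

if __name__ == "__main__":
    for bucket, perms in classify_update(OLD, NEW).items():
        print(bucket, perms)
```

The "silent" bucket is the one to review before allowing an update: it holds permissions that widen the app's access inside a group the user has already approved.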

Below I have listed some of the most abused Android app permissions that cyber criminals are exploiting for their personal gain: